TL;DR: If you or someone you know uses a self-hosted WordPress site, consider disabling XMLRPC to mitigate this attack.

We’ve actually been tracking this for a few weeks (first attack spotted on 2015/Sep/10), and it keeps getting more traction and becoming more popular. Instead of going against wp-login.php (which can be easily blocked or protected via .htaccess) or doing a single attempt against xmlrpc, attackers are leveraging the system.multicall method to attempt to guess hundreds of passwords within just one HTTP request.